LnS Logparser in tds-3 script suite

Hi all,
just want to tell all of you who are licenced TDS-operators that "screx", my suite of ss3 scripts for TDS now includes a module to watch LnS logs. You can specify which file should be watched and will be alerted by TDS when "suspicious" lines show up in there. Alerts will be in TDS console and/or speech and/or MS Agents.

It has several "threat levels" and "Suspiciousness" is being defined by a couple of properties (e.g. whether or not the string "RAT:" shows up in TDS's port-service database for the involved ports). Also, if your rulenames have a '-' or a '+' left of their ':' to indicate blocked/allowed status of the event, the parser will be able to understand this. (I name my rules like "TCP-O: Service", "UDP+B: Service", "TCP-I: Service" etc. - where I/O/B stands for In/Out/Both.)

The only problem is that LnS does its own logrotation, so that you will have to specify a new file to watch every day...

Have fun, and I'd appreciate any feedback at A.Wagner<at>stud.uni-frankfurt.de
Cheers,
Andreas
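As an added example (not the screx ss3 script itself, whose source is not part of this thread), here is a small Python sketch of the classification the post describes: rule names of the form "TCP-O: Service" / "UDP+B: Service" are split into protocol, blocked/allowed verdict ('-' / '+') and direction (I/O/B), and an event is rated by whether either port maps to a "RAT:" entry in a port-service table. The log-line layout, the port-service table, the threat-level scale and the `lns_YYYYMMDD.log` filename pattern are all constructed assumptions, since LnS's real log format and TDS's database are not shown here.

```python
import re
from datetime import date

# Constructed stand-in for TDS's port-service database (assumption: the real
# one is not shown in the thread). Entries tagged "RAT:" are what the parser
# treats as suspicious, as the post describes.
PORT_SERVICES = {
    80: "HTTP",
    443: "HTTPS",
    12345: "RAT: NetBus",
    27374: "RAT: SubSeven",
    31337: "RAT: Back Orifice",
}

# Rule-name convention from the post: "<PROTO><-|+><I|O|B>: <service>",
# where '-' = blocked, '+' = allowed, and I/O/B = In/Out/Both.
TAGGED_RULE_RE = re.compile(
    r"^(?P<proto>[A-Z]+)(?P<verdict>[-+])(?P<dir>[IOB]):\s*(?P<service>.*)$")
PLAIN_RULE_RE = re.compile(r"^(?P<proto>[A-Z]+):\s*(?P<service>.*)$")

# Assumed log-line layout (constructed; LnS's real format is not shown):
# "HH:MM:SS <rule name> <src ip>:<sport> -> <dst ip>:<dport>"
LOG_LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<rule>.+?)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s*->\s*(?P<dst>\S+):(?P<dport>\d+)$")

DIRECTIONS = {"I": "in", "O": "out", "B": "both"}


def parse_rule_name(rule):
    """Return proto, blocked flag (True/False, or None if untagged), direction, service."""
    m = TAGGED_RULE_RE.match(rule)
    if m:
        return {"proto": m["proto"], "blocked": m["verdict"] == "-",
                "direction": DIRECTIONS[m["dir"]], "service": m["service"].strip()}
    m = PLAIN_RULE_RE.match(rule)
    if m:
        return {"proto": m["proto"], "blocked": None, "direction": None,
                "service": m["service"].strip()}
    # Rule name does not follow the convention at all: keep it, verdict unknown.
    return {"proto": None, "blocked": None, "direction": None, "service": rule.strip()}


def parse_log_line(line):
    """Parse one assumed-format log line into an event dict, or None if it does not match."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    return {"time": m["time"], "rule": parse_rule_name(m["rule"]),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def rat_ports(event):
    """Ports of the event whose service entry starts with 'RAT:'."""
    return [p for p in (event["sport"], event["dport"])
            if PORT_SERVICES.get(p, "").startswith("RAT:")]


def threat_level(event):
    """Assumed scale (the post's exact levels are not given): 0 no RAT port;
    1 RAT port but the rule blocked it; 2 RAT port allowed, or verdict unknown
    (treated as allowed, the conservative reading); 3 RAT port allowed outbound."""
    if not rat_ports(event):
        return 0
    rule = event["rule"]
    if rule["blocked"] is True:
        return 1
    if rule["direction"] == "out":
        return 3
    return 2


def scan(text, min_level=1):
    """Return (level, time, service, rat_ports) for every line at or above min_level."""
    alerts = []
    for line in text.splitlines():
        ev = parse_log_line(line)
        if ev is None:
            continue
        lvl = threat_level(ev)
        if lvl >= min_level:
            alerts.append((lvl, ev["time"], ev["rule"]["service"], rat_ports(ev)))
    return alerts


def log_path_for(day, pattern="lns_{:%Y%m%d}.log"):
    """Derive the day's log file name so the watcher need not be reconfigured daily.
    The pattern is a placeholder; LnS's real naming scheme is not given in the thread."""
    return pattern.format(day)


# Constructed sample log in the assumed layout.
SAMPLE_LOG = """\
10:15:01 TCP-I: NetBus 10.0.0.5:4321 -> 192.168.1.2:12345
10:15:07 TCP+O: Web 192.168.1.2:1055 -> 93.184.216.34:80
10:16:22 UDP+B: Service 192.168.1.2:1060 -> 10.0.0.9:31337
10:17:00 TCP: Legacy 10.0.0.7:5555 -> 192.168.1.2:27374
10:17:30 TCP+O: Shell 192.168.1.2:1070 -> 10.0.0.9:12345
"""

if __name__ == "__main__":
    print("watching", log_path_for(date.today()))
    for lvl, t, svc, ports in scan(SAMPLE_LOG):
        print(f"level {lvl} at {t}: rule '{svc}' touched RAT port(s) {ports}")
```

Untagged rule names (no '+' or '-') are rated as if allowed, so a rule set that does not follow the naming convention errs on the side of more alerts rather than fewer; `log_path_for` shows the programmatic workaround for the dated filenames mentioned in the post, once the real pattern is known.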

@ Jason
Hi, nice to see you here. LnS is really a great fw - and will be much more so when the (announced) new version comes out.
(If it only wouldn't include the current date in the logfile's filename - which makes it a bit more difficult to find. One day, I'll do it programmatically, but right now, relying on the user configuring the path to the to-be-watched logfile means requiring him/her to reconfigure daily.)

@ Plavi
Hi Plavi,
thanks for giving it a try - and for your feedback.
I'd like to mention just a few general things over here and if problems persist, I would suggest (but you decide) discussing the script further at the dedicated ss3 forum (which is hosted over at DCS's private forums: http://diamondcs.com.au/forum/forumdisplay.php?s=&forumid=3 (I assume you're a registered tds customer - else you wouldn't have been able to run a script as large as screx at all))

1. You have to load "loadme.ss3", not "parselns.ss3"...
(It can load all of screx's modules, but you can configure which modules should be loaded and which shouldn't - for saving resources, e.g. Thus, you can configure to use only the logmon part with LnS parsing and on reload you should be there...)
2. You have to "load" the script in TDS (and not "run" it)...
(Actually, there is a description of how screx can set up itself and how to launch it in the readme file - screadme.txt)
3. Do you have the latest version of Windows Scripting Host for your OS installed?
(English - 2k/XP; English - 98/ME/NT)

Thanks for the advice and guidance. Am TDS registered so will visit there, download Windows Scripting Host and do some homework. I find the scripts fascinating and realize how powerful both tools are (in addition to being easy to use) but the learning curve is slow. Cheers for the patience.